Vulnerabilities

Decidim is a participatory democracy framework. Starting in version 0.23.0 and prior to versions 0.27.5 and 0.28.0, the CSRF authenticity token check is disabled for the questionnaire templates preview. The issue does not imply a serious security thread as you need to have access also to the session cookie in order to see this resource. This URL does not allow modifying the resource but it may allow attackers to gain access to information which was not meant to be public. The issue is fixed in version 0.27.5 and 0.28.0. As a workaround, disable the templates functionality or remove all available templates.

Decidim is a participatory democracy framework. Starting in version 0.4.rc3 and prior to version 2.0.9 of the `devise_invitable` gem, the invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. This issue creates vulnerable dependencies starting in version 0.0.1.alpha3 and prior to versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim,` `decidim-admin`, and `decidim-system` gems. When using the password reset functionality, the `devise_invitable` gem always accepts the pending invitation if the user has been invited. The only check done is if the user has been invited but the code does not ensure that the pending invitation is still valid as defined by the `invite_for` expiry period. Decidim sets this configuration to `2.weeks` so this configuration should be respected. The bug is in the `devise_invitable` gem and should be fixed there and the dependency should be upgraded in Decidim once the fix becomes available. `devise_invitable` to version `2.0.9` and above fix this issue. Versions 0.26.9, 0.27.5, and 0.28.0 of the `decidim,` `decidim-admin`, and `decidim-system` gems contain this fix. As a workaround, invitations can be cancelled directly from the database.

Decidim is a participatory democracy framework. Starting in version 0.27.0 and prior to versions 0.27.5 and 0.28.0, the dynamic file upload feature is subject to potential cross-site scripting attacks in case the attacker manages to modify the file names of the records being uploaded to the server. This appears in sections where the user controls the file upload dialogs themselves and has the technical knowledge to change the file names through the dynamic upload endpoint. Therefore I believe it would require the attacker to control the whole session of the particular user but in any case, this needs to be fixed. Successful exploit of this vulnerability would require the user to have successfully uploaded a file blob to the server with a malicious file name and then have the possibility to direct the other user to the edit page of the record where the attachment is attached. The users are able to craft the direct upload requests themselves controlling the file name that gets stored to the database. The attacker is able to change the filename e.g. to `` if they know how to craft these requests themselves. And then enter the returned blob ID to the form inputs manually by modifying the edit page source. Versions 0.27.5 and 0.28.0 contain a patch for this issue. As a workaround, disable dynamic uploads for the instance, e.g. from proposals.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: fix potential OOBs in smb2_parse_contexts()<br /> <br /> Validate offsets and lengths before dereferencing create contexts in<br /> smb2_parse_contexts().<br /> <br /> This fixes following oops when accessing invalid create contexts from<br /> server:<br /> <br /> BUG: unable to handle page fault for address: ffff8881178d8cc3<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 4a01067 P4D 4a01067 PUD 0<br /> Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 3 PID: 1736 Comm: mount.cifs Not tainted 6.7.0-rc4 #1<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS<br /> rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014<br /> RIP: 0010:smb2_parse_contexts+0xa0/0x3a0 [cifs]<br /> Code: f8 10 75 13 48 b8 93 ad 25 50 9c b4 11 e7 49 39 06 0f 84 d2 00<br /> 00 00 8b 45 00 85 c0 74 61 41 29 c5 48 01 c5 41 83 fd 0f 76 55 b7<br /> 7d 04 0f b7 45 06 4c 8d 74 3d 00 66 83 f8 04 75 bc ba 04 00<br /> RSP: 0018:ffffc900007939e0 EFLAGS: 00010216<br /> RAX: ffffc90000793c78 RBX: ffff8880180cc000 RCX: ffffc90000793c90<br /> RDX: ffffc90000793cc0 RSI: ffff8880178d8cc0 RDI: ffff8880180cc000<br /> RBP: ffff8881178d8cbf R08: ffffc90000793c22 R09: 0000000000000000<br /> R10: ffff8880180cc000 R11: 0000000000000024 R12: 0000000000000000<br /> R13: 0000000000000020 R14: 0000000000000000 R15: ffffc90000793c22<br /> FS: 00007f873753cbc0(0000) GS:ffff88806bc00000(0000)<br /> knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: ffff8881178d8cc3 CR3: 00000000181ca000 CR4: 0000000000750ef0<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? __die+0x23/0x70<br /> ? page_fault_oops+0x181/0x480<br /> ? search_module_extables+0x19/0x60<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> ? exc_page_fault+0x1b6/0x1c0<br /> ? asm_exc_page_fault+0x26/0x30<br /> ? smb2_parse_contexts+0xa0/0x3a0 [cifs]<br /> SMB2_open+0x38d/0x5f0 [cifs]<br /> ? smb2_is_path_accessible+0x138/0x260 [cifs]<br /> smb2_is_path_accessible+0x138/0x260 [cifs]<br /> cifs_is_path_remote+0x8d/0x230 [cifs]<br /> cifs_mount+0x7e/0x350 [cifs]<br /> cifs_smb3_do_mount+0x128/0x780 [cifs]<br /> smb3_get_tree+0xd9/0x290 [cifs]<br /> vfs_get_tree+0x2c/0x100<br /> ? capable+0x37/0x70<br /> path_mount+0x2d7/0xb80<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> ? _raw_spin_unlock_irqrestore+0x44/0x60<br /> __x64_sys_mount+0x11a/0x150<br /> do_syscall_64+0x47/0xf0<br /> entry_SYSCALL_64_after_hwframe+0x6f/0x77<br /> RIP: 0033:0x7f8737657b1e

This High severity Stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center.<br /> <br /> This Stored XSS vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires no user interaction.<br /> Data Center<br /> <br /> Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:<br /> ||Affected versions||Fixed versions||<br /> |from 8.7.0 to 8.7.1|8.8.0 recommended or 8.7.2|<br /> |from 8.6.0 to 8.6.1|8.8.0 recommended|<br /> |from 8.5.0 to 8.5.4 LTS|8.8.0 recommended or 8.5.5 LTS or 8.5.6 LTS|<br /> |from 8.4.0 to 8.4.5|8.8.0 recommended or 8.5.6 LTS|<br /> |from 8.3.0 to 8.3.4|8.8.0 recommended or 8.5.6 LTS|<br /> |from 8.2.0 to 8.2.3|8.8.0 recommended or 8.5.6 LTS|<br /> |from 8.1.0 to 8.1.4|8.8.0 recommended or 8.5.6 LTS|<br /> |from 8.0.0 to 8.0.4|8.8.0 recommended or 8.5.6 LTS|<br /> |from 7.20.0 to 7.20.3|8.8.0 recommended or 8.5.6 LTS|<br /> |from 7.19.0 to 7.19.17 LTS|8.8.0 recommended or 8.5.6 LTS or 7.19.18 LTS or 7.19.19 LTS|<br /> |from 7.18.0 to 7.18.3|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS|<br /> |from 7.17.0 to 7.17.5|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS|<br /> |Any earlier versions|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS|<br /> Server<br /> <br /> Atlassian recommends that Confluence Server customers upgrade to the latest 8.5.x LTS version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:<br /> <br />  <br /> ||Affected versions||Fixed versions||<br /> |from 8.5.0 to 8.5.4 LTS|8.5.5 LTS or 8.5.6 LTS recommended |<br /> |from 8.4.0 to 8.4.5|8.5.6 LTS recommended|<br /> |from 8.3.0 to 8.3.4|8.5.6 LTS recommended|<br /> |from 8.2.0 to 8.2.3|8.5.6 LTS recommended|<br /> |from 8.1.0 to 8.1.4|8.5.6 LTS recommended|<br /> |from 8.0.0 to 8.0.4|8.5.6 LTS recommended|<br /> |from 7.20.0 to 7.20.3|8.5.6 LTS recommended|<br /> |from 7.19.0 to 7.19.17 LTS|8.5.6 LTS recommended or 7.19.18 LTS or 7.19.19 LTS|<br /> |from 7.18.0 to 7.18.3|8.5.6 LTS recommended or 7.19.19 LTS|<br /> |from 7.17.0 to 7.17.5|8.5.6 LTS recommended or 7.19.19 LTS|<br /> |Any earlier versions|8.5.6 LTS recommended or 7.19.19 LTS|<br /> <br /> See the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). You can download the latest version of Confluence Data Center from the download center ([https://www.atlassian.com/software/confluence/download-archives]).<br /> <br /> This vulnerability was reported via our Bug Bounty program.

Certain HP LaserJet Pro, HP Enterprise LaserJet, and HP LaserJet Managed Printers are potentially vulnerable to Remote Code Execution due to buffer overflow when rendering fonts embedded in a PDF file.

An arbitrary file upload vulnerability in the component /sysFile/upload of Novel-Plus v4.3.0-RC1 allows attackers to execute arbitrary code via uploading a crafted file.

Buffer Overflow vulnerability in mz-automation.de libiec61859 v.1.4.0 allows a remote attacker to cause a denial of service via the mmsServer_handleGetNameListRequest function to the mms_getnamelist_service component.

A double-free vulnerability exists in the BrainVision ASCII Header Parsing functionality of The Biosig Project libbiosig 2.5.0 and Master Branch (ab0ee111). A specially crafted .vdhr file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

A use-after-free vulnerability exists in the sopen_FAMOS_read functionality of The Biosig Project libbiosig 2.5.0 and Master Branch (ab0ee111). A specially crafted .famos file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

An integer underflow vulnerability exists in the sopen_FAMOS_read functionality of The Biosig Project libbiosig 2.5.0 and Master Branch (ab0ee111). A specially crafted .famos file can lead to an out-of-bounds write which in turn can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

An out-of-bounds write vulnerability exists in the sopen_FAMOS_read functionality of The Biosig Project libbiosig 2.5.0 and Master Branch (ab0ee111). A specially crafted .famos file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.